Re: md5 password deprecation might cause problems with PgBouncer setups
От | Andres Freund |
---|---|
Тема | Re: md5 password deprecation might cause problems with PgBouncer setups |
Дата | |
Msg-id | 42mwthjy5dy5umxojevjgbwgbu4dhrsa7pvisngx337s5cvwxb@bt2qegqnca4k обсуждение исходный текст |
Ответ на | md5 password deprecation might cause problems with PgBouncer setups (Jelte Fennema-Nio <postgres@jeltef.nl>) |
Ответы |
Re: md5 password deprecation might cause problems with PgBouncer setups
|
Список | pgsql-hackers |
Hi, On 2025-06-06 23:48:18 +0200, Jelte Fennema-Nio wrote: > First of all, I'm definitely in favor of sunsetting md5 password auth myself. > > However, I would like to share a possible issue that users might run > into while we're doing this: Apparently the overhead of scram-256 is > much higher in some PgBouncer setups. I expect this to be mostly > setups where there are many short lived connections, but that's a > fairly normal scenario for PgBouncer. The bitnami docker image of > PgBouncer changed the default auth_type to scram-256 around two years > ago[1]. This still results in people reporting perf regressions when > upgrading PgBouncer[2][3]. I assume this is due to the fairly high iteration count we use by default? I know the iteration count is from the RFC, but the explanation in the RFC [1] seems to be aimed at interactive use cases, where a few tens to hundreds of milliseconds or such aren't a significant issue. That's obviously somewhat different for a server application that connects a lot. > I'm not sure how to improve this situation though. Maybe PgBouncer > will continue supporting md5 a while longer. Or we should start > recommending password auth. The single-threaded nature of PgBouncer > also makes these types of perf regressions extra problematic, because > once you hit 100% of the core that PgBouncer is running on, the only > way out is complicating your setup with multiple PgBouncer instances. Which leads me to wonder if what pgbouncer should do is to recommend a different number of scram iterations? That seems better than recommending md5 or password auth. Greetings, Andres Freund [1] https://datatracker.ietf.org/doc/html/rfc7677#section-4
В списке pgsql-hackers по дате отправления: